The class-action suit, filed in San Francisco, points fingers at what it calls shoddy data security and delayed disclosure.
Following the recent revelation that a security breach potentially exposed 40 million credit cards to data theft, a class-action suit was filed Monday against CardSystems Solutions, MasterCard and Visa on behalf of California credit card holders and businesses accepting credit card payments.
The lawsuit, filed in San Francisco Superior Court, alleges that CardSystems Solutions, an Arizona-based credit card processing company, failed to keep consumers' credit card data safe, breaking Visa and MasterCard's "Data Security Standards," which forbid storing certain consumer information.
Also, the suit says CardSystems is liable for the security breach because the company failed to "maintain a proper firewall and computer security system [and failed] to properly encrypt data, [and for] its unauthorized storage of consumer data."
The unprotected data purportedly included credit card holder names, credit card account numbers, bank names, information about credit card transactions, magnetic-stripe data, PIN verification codes and "other personal identifying information."
The suit also says CardSystems, along with Visa, MasterCard and credit card processor Merrick Bank, didn't disclose the information in a timely manner.
CardSystems officials said the company did not discover the hack until May 22, and MasterCard said it discovered security violations as early as April 2005, which were traced back to the processing company.
"CardSystems should have known of its unreasonable data security prior to April 2005, as it was notified by other entities on or around the fourth quarter of 2004 that such consumer data was exposed and/or compromised and failed to take prompt remedial action or take steps to notify impacted consumers directly or indirectly through other entities," the lawsuit stated.
If these claims are proved to be true, this lack of action breaks California's Unfair Competition Law, which protects against "unfair, unlawful and deceptive business practices," among others.
"Consumers, in our view, have the right to be immediately informed if the privacy and security of their credit card information have been violated so they can make an informed decision on whether to change account numbers or take some other prompt remedial action," Ira Rothkin, counsel for the consumer and business plaintiffs, said in a statement.
On June 17, MasterCard told its member financial institutions about the security breach, which had been under investigation since it was first discovered almost a month earlier. Investigators believe more than 200,000 credit card accounts were exposed during the data theft. CardSystems also admitted that it had been improperly storing customer data on its network for undefined "research purposes."
Visa and other credit card vendors have yet to disclose whether cardholder information was stolen from their systems, saying they're staying mum because of law enforcement requests to keep the investigation confidential.
But according to the suit, the Arizona FBI office handling the investigation said it was important for the public to be warned so card holders could keep a close watch on their credit card statements for unauthorized charges. The FBI also denies that it ever told CardSystems to stay tight-lipped about the security breakdown.
The suit was brought on behalf of Marin County resident Eric Parke, who has several Visa and MasterCard accounts, and Royal Sleep Mattress Clearance Center, which accepts the cards as payment for merchandise.
Visa representatives were not immediately available for comment. MasterCard spokesperson Sharon Gamsin stated, "We have not been served with the lawsuit yet, so we cannot comment on it."